Best Practice for Offloading – EAP-SIM/AKA
SIM-based authentication is the best practice for mobile data offloading because it reuses the same credentials and authentication mechanism as the cellular network, making the process seamless and secure for the end-user. Automatic authentication, combined with smartphones’ tendency to prefer Wi-Fi over cellular connections, results in a high rate of offloaded users.
The Enea Aptilo SMP SIM Authentication function authenticates users based on the authentication vectors retrieved from the HLR, HSS or AUSF in the mobile core, in accordance with the 3GPP AAA functionality.
The Wi-Fi network must support 802.1X (WPA2/WPA3-Enterprise) to carry the EAP exchange between the device’s SIM and the SIM authentication function. This has the additional benefit that the session keys derived during EAP-SIM/AKA are used to encrypt the Wi-Fi link, giving the air interface protection comparable to that of the cellular network. Note that EAP-SIM derives its keys from GSM triplets, which are weaker than the UMTS/LTE vectors used by EAP-AKA/AKA', so EAP-AKA or EAP-AKA' should be preferred wherever the device has a USIM. The security and the automatic authentication process make the Wi-Fi network a trusted extension of the cellular network. Together with IEEE 802.11u, SIM-based EAP-SIM/AKA authentication has become the foundation of the next generation hotspot, Hotspot 2.0 (Passpoint), defined by the Hotspot 2.0 Task Group in the Wi-Fi Alliance.
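The identity an EAP-SIM/AKA client presents over 802.1X is what lets the AAA route the request to the right HLR/HSS/AUSF. The following is an added example, not Enea Aptilo code, that builds the 3GPP network access identifier (NAI) for a given IMSI and parses and validates an incoming identity. The prefix digits and realm format follow 3GPP TS 23.003 section 19.3 and RFC 4186/4187/5448; all IMSIs, MCCs and MNCs are constructed test data.

```python
"""Added example (not Enea Aptilo code): build the 3GPP NAI an EAP-SIM/AKA/AKA'
client presents, and parse/validate an incoming identity before routing it to
the HLR/HSS/AUSF. Prefix digits and realm format follow 3GPP TS 23.003 section
19.3 and RFC 4186/4187/5448. All IMSI/MCC/MNC values are constructed test data.
"""
import re

# First digit of the username: which EAP method and which identity type.
PREFIX_TABLE = {
    "0": ("EAP-AKA", "permanent"),   "1": ("EAP-SIM", "permanent"),
    "2": ("EAP-AKA", "pseudonym"),   "3": ("EAP-SIM", "pseudonym"),
    "4": ("EAP-AKA", "fast-reauth"), "5": ("EAP-SIM", "fast-reauth"),
    "6": ("EAP-AKA'", "permanent"),  "7": ("EAP-AKA'", "pseudonym"),
    "8": ("EAP-AKA'", "fast-reauth"),
}
PERMANENT_PREFIX = {"EAP-AKA": "0", "EAP-SIM": "1", "EAP-AKA'": "6"}

# Home realm: wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org, MNC always 3 digits.
REALM_RE = re.compile(r"^wlan\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")


def _valid_imsi(imsi: str) -> bool:
    return imsi.isdigit() and 6 <= len(imsi) <= 15


def build_nai(imsi: str, method: str, mnc_len: int) -> str:
    """Permanent identity, e.g. '1<IMSI>@wlan.mnc001.mcc234.3gppnetwork.org'."""
    if not _valid_imsi(imsi):
        raise ValueError("IMSI must be 6-15 digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3 digits")
    mcc = imsi[:3]
    mnc = imsi[3:3 + mnc_len].zfill(3)   # a 2-digit MNC is zero-padded in the realm
    return f"{PERMANENT_PREFIX[method]}{imsi}@wlan.mnc{mnc}.mcc{mcc}.3gppnetwork.org"


def _mnc_matches(imsi: str, realm_mnc: str) -> bool:
    # A 2-digit MNC appears as 0XX in the realm; a 3-digit one appears verbatim.
    return imsi[3:6] == realm_mnc or (
        realm_mnc.startswith("0") and imsi[3:5] == realm_mnc[1:]
    )


def parse_nai(nai: str) -> dict:
    """Classify an EAP-Response/Identity or RADIUS User-Name; raise on anything odd."""
    if nai.count("@") != 1:
        raise ValueError("identity must contain exactly one '@'")
    user, realm = nai.split("@")
    m = REALM_RE.match(realm)
    if not m:
        raise ValueError("realm is not a 3GPP WLAN home realm")
    realm_mnc, realm_mcc = m.group(1), m.group(2)
    if not user or user[0] not in PREFIX_TABLE:
        raise ValueError("unknown identity prefix")
    method, kind = PREFIX_TABLE[user[0]]
    result = {"method": method, "kind": kind, "mcc": realm_mcc, "mnc": realm_mnc}
    if kind == "permanent":
        imsi = user[1:]
        if not _valid_imsi(imsi):
            raise ValueError("permanent identity does not carry a valid IMSI")
        # The client chooses the realm; refuse identities whose realm disagrees
        # with the IMSI's own MCC/MNC so a request cannot be steered to the
        # wrong home HLR/HSS/AUSF.
        if imsi[:3] != realm_mcc or not _mnc_matches(imsi, realm_mnc):
            raise ValueError("realm does not match the IMSI's MCC/MNC")
        result["imsi"] = imsi
    else:
        # Pseudonyms and fast re-auth ids are opaque: the AAA maps them back to
        # the IMSI from its own state and never derives anything from them.
        result["opaque_id"] = user[1:]
    return result


def nai_is_acceptable(nai: str) -> bool:
    """Boolean wrapper for use in a RADIUS authorization policy."""
    try:
        parse_nai(nai)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    nai = build_nai("234011234567890", "EAP-SIM", mnc_len=2)
    print(nai, parse_nai(nai))
```

The realm/IMSI consistency check is the part worth copying: the identity is client-supplied, and an AAA that routes purely on the realm can be pointed at another operator's core by a device that pairs a foreign IMSI with a local realm.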
There are currently 22+ billion devices connected to Wi-Fi; not all will have SIM cards or support for EAP-SIM/AKA. Operators will need alternative authentication methods to support these customers.
Alternative Wi-Fi Authentication Methods
Service providers always need to balance security with user experience in real-world deployments. We support several authentication methods that can act as alternatives to EAP-SIM/AKA, allowing service providers to extend the service to legacy and Wi-Fi-only devices that lack a SIM card or support for SIM-based authentication.
We allow the service provider to combine authentication methods to create more innovative user experiences. For example, users can be SIM-authenticated automatically and then pushed to a captive portal to approve a daily charge amount or receive a commercial message (“bill shock prevention”).
Delivering a one-time password via SMS to the user, or silently to an app, is one of the most practical ways to identify a user securely on an open-SSID Wi-Fi network, because entering the code proves control of the mobile number (MSISDN). Note that this identifies the user but does not encrypt the air link: on an open SSID, link-layer encryption still requires 802.1X.
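The controls that make an SMS one-time password safe in practice (a CSPRNG-generated code, short validity, an attempt limit, per-number resend throttling, single use and a constant-time compare) are easy to get wrong. The following is an added example, not Enea Aptilo code, of a portal-side OTP service with those checks. The SMS gateway is stubbed by a list, and the validity, attempt and throttle values are assumptions chosen for illustration.

```python
"""Added example (not Enea Aptilo code): issuing and verifying a one-time
password sent by SMS for a captive-portal login on an open SSID. The SMS
gateway is stubbed (sent_messages); the limits below are assumed values.
"""
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300          # assumption: code valid for 5 minutes
MAX_ATTEMPTS = 5               # assumption: code locked after 5 wrong guesses
RESEND_INTERVAL_SECONDS = 60   # assumption: at most one SMS per number per minute


class OtpService:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing
        self._pending = {}           # msisdn -> {code, expires, attempts, issued}
        self.sent_messages = []      # stand-in for an SMS gateway

    def issue(self, msisdn: str) -> bool:
        """Generate and 'send' a code; False if the number is being throttled."""
        now = self._clock()
        prev = self._pending.get(msisdn)
        if prev and now - prev["issued"] < RESEND_INTERVAL_SECONDS:
            return False  # throttle: limits SMS flooding and per-message cost abuse
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[msisdn] = {
            "code": code, "expires": now + OTP_TTL_SECONDS,
            "attempts": 0, "issued": now,
        }
        self.sent_messages.append((msisdn, f"Your Wi-Fi code is {code}"))
        return True

    def verify(self, msisdn: str, code: str) -> bool:
        """True exactly once for the right code while it is valid and not locked."""
        now = self._clock()
        entry = self._pending.get(msisdn)
        if entry is None:
            return False
        if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[msisdn]   # expired or locked: the user must request a new code
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"], code):   # constant-time comparison
            del self._pending[msisdn]   # single use
            return True
        return False
```

With 6 digits and 5 attempts, an attacker guessing blindly has at most a 5-in-a-million chance per issued code, which is why the attempt limit matters more than the code length; without it, an online brute force over the portal completes in minutes.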
A prevalent method for Wi-Fi networks running on an open SSID is MAC-based authentication, where the device’s Media Access Control (MAC) address is used for identification. This provides a seamless user experience with automatic login to the Wi-Fi network. It is often used as a re-authentication mechanism for short-term accounts at Wi-Fi hotspots.
Device manufacturers have started to randomize MAC addresses to protect users’ privacy. Currently, the major mobile operating systems keep the same randomized MAC address per SSID. This protects users’ privacy when they move between Wi-Fi networks while still allowing automatic login of returning users on the same SSID. Because this behaviour is controlled by the device OS and may change between releases, a MAC learned on one SSID should not be expected to appear on another, and MAC bindings should be stored per SSID.
Since MAC addresses can be spoofed, service providers do not commonly use MAC-based authentication as the primary authentication mechanism for long-term accounts. The location-based multi-device login is an Enea (Aptilo) invention that lets mobile operators achieve a greater level of security for MAC-based authentication of devices in Wi-Fi networks. It makes automatic MAC-based authentication of multiple devices more secure by tying them to an active mobile phone belonging to the same subscriber that has already been authenticated via a secure EAP method at the same location.
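The following is an added example, not Enea Aptilo code, of an authorization decision for a MAC-based login on an open SSID. It shows two checks a practitioner would want: recognising randomized (locally administered) MAC addresses from the U/L bit of the first octet, and granting automatic login only when the same subscriber has a recent SIM-authenticated session at the same location. The location-tied rule is a simplified model of the multi-device login described above, not Enea's implementation; the session age limit and the restriction to SIM-based EAP methods are assumptions, and all MAC addresses, subscribers and sessions are constructed test data.

```python
"""Added example (not Enea Aptilo code): authorizing a MAC-based login on an
open SSID, anchored to a recent SIM-authenticated session of the same
subscriber at the same location. Simplified model; all data is constructed.
"""
import re
from dataclasses import dataclass

STRONG_EAP = {"EAP-SIM", "EAP-AKA", "EAP-AKA'"}   # assumption: SIM-based methods only
ANCHOR_MAX_AGE = 3600   # assumption: the phone's EAP session must be under 1 h old


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet (the U/L bit) is set on randomized addresses."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet (the I/G bit); never a valid station address."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


@dataclass
class EapSession:
    subscriber: str   # e.g. MSISDN or an internal account id
    location: str     # venue or AP-group id reported by the access network
    method: str       # EAP method the device authenticated with
    started: float    # epoch seconds


def authorize_mac_login(mac, ssid, location, now, bindings, sessions):
    """Return (allowed, reason) for a MAC-auth request.

    bindings: {(ssid, mac): subscriber}, learned at the subscriber's first portal
              login and keyed per SSID because randomized MACs are stable per SSID only.
    sessions: EapSession objects currently active in the network.
    """
    try:
        mac = normalize_mac(mac)
    except ValueError as exc:
        return False, str(exc)
    if is_multicast(mac):
        return False, "multicast/broadcast address"
    subscriber = bindings.get((ssid, mac))
    if subscriber is None:
        return False, "MAC not bound to any subscriber on this SSID"
    # A MAC alone is spoofable, so require an anchor: another device of the same
    # subscriber that proved itself with a SIM-based EAP method, here, recently.
    for s in sessions:
        if (s.subscriber == subscriber and s.location == location
                and s.method in STRONG_EAP and 0 <= now - s.started <= ANCHOR_MAX_AGE):
            return True, f"anchored to {s.method} session at {location}"
    return False, "no recent SIM-authenticated device of this subscriber at this location"
```

Logging the reason string alongside the decision gives the SOC a direct signal for spoofing attempts: a known MAC showing up at a venue where the subscriber's phone is not present is exactly the case the location anchor is meant to catch.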
Unified 3GPP Wi-Fi Access
The 3GPP Wi-Fi access standard requires SIM authentication (EAP-SIM/AKA), during which policies are retrieved from the subscriber profile in the HLR/HSS/AUSF. These policies are crucial for the Wi-Fi service and include the APN and the parameters for setting up the individual GTP tunnel that backhauls the user’s traffic to the mobile core (if that option is used).
Enea Aptilo Wi-Fi SMP already enables 3GPP Wi-Fi access for mobile phones with SIM cards using EAP-SIM/AKA. We can also extend 3GPP Wi-Fi access to all Wi-Fi devices, including those without SIM cards and those with SIM cards but no support for SIM authentication (EAP-SIM/AKA). This innovation uses the certificate-based EAP-TTLS/PEAP authentication methods instead of EAP-SIM/AKA while retrieving policies from the subscriber profile in the HLR/HSS/AUSF as if it were an EAP-SIM/AKA authentication. The Enea Aptilo SMP retrieves the subscriber profile using the MSISDN (mobile number) rather than the IMSI (SIM card ID) as the identifier, while using EAP-TTLS rather than EAP-SIM/AKA for security. One deployment caveat: the security of EAP-TTLS/PEAP rests on the device validating the AAA server’s certificate (trusted CA and expected server name), so devices must be provisioned with that trust anchor; otherwise a rogue access point can harvest the inner credentials. In other words, we make 3GPP Wi-Fi access possible in real-world deployments by adding support for devices lacking SIM authentication capabilities.